Attacker Value: High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network
4

CVE-2021-3064

Disclosure Date: November 10, 2021
Lateral Movement
Validation
Validated

Description

A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue. This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Prisma Access customers are not impacted by this issue.

Technical Analysis

Interesting bug in that this is a high-value exploit against Palo Alto Networks' GlobalProtect VPN, which allows unauthenticated attackers to gain root-level code execution on target systems. That being said, attackers must have access to the GlobalProtect interface to exploit this issue. However, this is just if we consider this bug on its own. They also mention that researchers at Randori managed to find a way to combine this bug with an HTTP Smuggling attack to turn this into a fully working RCE exploit. For this reason I've rated this as a 4/5 on value: it does require some additional bugs, but it's super useful: going from no access on the network to full root-level access on a VPN controller is a dream come true for a lot of attackers, particularly when exploitation is meant to be pretty easy.

The technical details mention that this is a classic stack-based buffer overflow into a fixed-size stack buffer, and that whilst ASLR is present on non-virtualized devices, which does make exploitation a bit harder, most virtualized devices do not have ASLR enabled, making exploitation significantly easier. They also mention that they did not yet exploit MIPS-based systems due to their big-endian architecture, and although this is likely due more to unfamiliarity than technical complexity, it is something to consider.

I can see this being particularly useful on internal engagements given the supposed relative ease of exploitation, and also by APTs. Widespread exploitation may occur if one can figure out the HTTP Smuggling attack mentioned; once that gets figured out publicly, I imagine this will be a ripe target for exploitation given its relative ease and extremely high value.

More details will supposedly be given out by Randori on December 14th, although it is worth noting this bug was patched quite a while ago. See the Twitter threads at https://twitter.com/GossiTheDog/status/1459189710945980416 and https://twitter.com/_MG_/status/1459024603263557633, where it was noted that the fixed version was released way back in September 2020 with PAN-OS 8.1.17. Unfortunately, it is a bit hard to note some of this, and there has been some confusion due to the release notes not containing full information, and only later being updated to note that this issue was patched within them.
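As an added illustration of the bug class the assessment describes (a fixed-size stack buffer filled with attacker-controlled data, with no length check), the following is example code written for this page. It is not PAN-OS or GlobalProtect code, not Randori's exploit, and the header name, buffer size and function names are hypothetical. It places the unbounded copy next to a bounds-checked version and feeds both a constructed over-long request line.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical header and buffer size; not taken from PAN-OS. */
#define VALUE_MAX 64
#define HEADER_NAME "X-Example-Field: "

/* Return a pointer to the value following HEADER_NAME, or NULL. */
static const char *find_value(const char *line)
{
    size_t n = strlen(HEADER_NAME);
    if (strncmp(line, HEADER_NAME, n) != 0)
        return NULL;
    return line + n;
}

/* Vulnerable pattern: the copy length comes from the input and is never
 * compared with sizeof buf. A value of VALUE_MAX bytes or more runs past
 * the buffer into the saved frame pointer and return address. Only call
 * this with short input; overflowing it is undefined behaviour. */
int value_length_unsafe(const char *line)
{
    char buf[VALUE_MAX];
    const char *v = find_value(line);
    if (!v)
        return -1;
    strcpy(buf, v);                 /* no bound: classic stack overflow */
    return (int)strlen(buf);
}

/* Hardened pattern: measure first, reject anything that does not fit
 * together with its terminating NUL, and only then copy.
 * Returns -1 if the header is absent, -2 if the value is too long,
 * otherwise the value length. */
int value_length_safe(const char *line)
{
    char buf[VALUE_MAX];
    const char *v = find_value(line);
    size_t len;
    if (!v)
        return -1;
    len = strlen(v);
    if (len >= sizeof buf)
        return -2;
    memcpy(buf, v, len);
    buf[len] = '\0';
    return (int)len;
}

/* Constructed sample input: HEADER_NAME followed by n 'A' bytes.
 * out must hold at least strlen(HEADER_NAME) + n + 1 bytes. */
void build_long_line(char *out, size_t n)
{
    size_t i, p = strlen(HEADER_NAME);
    memcpy(out, HEADER_NAME, p);
    for (i = 0; i < n; i++)
        out[p + i] = 'A';
    out[p + n] = '\0';
}

/* 1 if the hardened parser rejects an n-byte value, 0 if it accepts it,
 * -1 if n is too large for the local scratch line. */
int safe_rejects_value_of(size_t n)
{
    char line[512];
    if (n > 400)
        return -1;
    build_long_line(line, n);
    return value_length_safe(line) == -2;
}

int main(void)
{
    char line[512];
    build_long_line(line, 300);   /* 300-byte value, far past VALUE_MAX */
    printf("hardened parser, 300-byte value: %d\n", value_length_safe(line));
    printf("hardened parser, short value:    %d\n",
           value_length_safe(HEADER_NAME "hello"));
    /* value_length_unsafe(line) would smash the stack; it is not run here. */
    return 0;
}
```

The distinction that matters is where the length comes from: in the unsafe version it is implied by the input and checked by nobody, in the safe version it is computed and compared against the buffer before any byte is written. The assessment's point about ASLR applies to what happens after such an overflow: without ASLR, the overwritten return address can point at a fixed, known location, which is why unprotected virtualized devices are the easier targets.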

CVSS V3 Severity and Metrics
Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • Palo Alto Networks

Products

  • PAN-OS
  • Prisma Access
